
Linux 101 Command Line Cheat Sheet

Tab-completion:

Folks who are new to the Unix/Linux command line often attempt to type everything by hand. This may work well if you type quickly and accurately. Most of us are much better off using tab completion.

Note that Windows PowerShell also supports tab completion, but it handles ambiguity differently. See the PowerShell cheat sheet for more information.

Type the following:

cat /etc/pas

Then press <TAB>.

Note that it autocompletes to /etc/passwd.

Now try tabbing with ambiguity:

cd ~/Do

Then press <TAB> <TAB>.

Note that it offers two choices: Documents/ Downloads/.

Now add a "w":

cd ~/Dow

Then press <TAB>. It autocompletes to ~/Downloads/.

cat

Display a file:

cat /etc/passwd

Concatenate (cat) /etc/issue and /etc/hostname, create /home/student/issue-and-hostname.txt:

cat /etc/issue /etc/hostname > /home/student/issue-and-hostname.txt

cd

Change Directory (cd) to the /tmp directory:

cd /tmp

Change to your home directory. "~" expands to the home directory of the current user (/home/student for the "student" user), so the following three commands are equivalent:

cd
cd ~
cd /home/student

Change to the parent directory. For example: if you are in /tmp/subdirectory/, this will change your working directory to /tmp/:

cd ..

echo

Print (echo) the string "Cylon":

echo Cylon

Create or overwrite the file example.txt, containing the string "Cylon":

echo Cylon > /home/student/example.txt

Append the string "Galactica" to the file example.txt:

echo Galactica >> /home/student/example.txt

ls

List the files in the current directory (equivalent to the cmd.exe "dir" command):

ls

List the files in the current directory, long output (-l), all files including "hidden" files that begin with a "." (-a):

ls -la

List the files in the current directory, long output (-l), all files (-a), sort by time (-t):

ls -lat

List the files in the current directory, long output (-l), all files (-a), reverse (-r) sort by time (-t):

ls -lart

networking

Show network interface configuration:

ifconfig

Show network interface configuration using "ip":

ip a

Restart networking via the SysV init script (on Debian-based systems running systemd, the equivalent is "sudo systemctl restart networking"; other distributions use their own network manager):

sudo /etc/init.d/networking restart

passwd

Change your password:

passwd

ping

ping a host forever (until CTRL-C is pressed) to see if it is up (and whether ICMP echo is being filtered):

ping 127.0.0.1

ping a host 3 times, see if it is up (and unfiltered):

ping -c3 127.0.0.1

pwd

Print Working Directory (pwd), show the current directory:

pwd

sudo

Run a command as root (password is "Security511"):

sudo cat /etc/shadow

Open a root bash shell (password is "Security511"):

sudo bash

Linux Command Line Cheat Sheet

awk

Print the length of each line of a file (/etc/passwd in this case), followed by the line itself:

cat /etc/passwd | awk '{print length, $0;}'

Print the 2nd field from a file using the string 'Mozilla/' as a delimiter:

cat /labs/bc/access.log | awk -F "Mozilla/" '{print $2}'

Print the last colon delimited field:

cat /etc/passwd | awk -F: '{print $(NF)}'

Print the 2nd-to-last colon delimited field:

cat /etc/passwd | awk -F: '{print $(NF-1)}'
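
Going one step beyond printing fields: awk can test them. The following is an added example (not part of the original cheat sheet) that applies the -F: and $NF idioms above to an /etc/passwd-style file to flag the entries a responder cares about. The SAMPLE_PASSWD data is constructed for the example; replace the printf with "cat /etc/passwd" to run it on a real system.

```sh
#!/bin/sh
# Added example: triage an /etc/passwd-style file with awk field tests.
# SAMPLE_PASSWD is constructed data, not copied from any real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
student:x:1000:1000:Student:/home/student:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
toor:x:0:0:oops:/root:/bin/sh
svc:x:1001:1001::/nonexistent:/bin/false'

# Any account other than root with UID 0 (field 3) is a full superuser: a classic backdoor.
uid0_not_root() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose login shell (last field, $NF) is a real shell, with their home dir ($(NF-1)).
interactive_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$NF ~ /\/(ba)?sh$/ { print $1, $(NF-1), $NF }'
}

# Count accounts per shell with an awk associative array (awk's own "sort | uniq -c"),
# most common first. LC_ALL=C keeps the sort order independent of the user's locale.
accounts_per_shell() {
    printf '%s\n' "$SAMPLE_PASSWD" \
        | awk -F: '{ n[$NF]++ } END { for (s in n) print n[s], s }' \
        | LC_ALL=C sort -rn
}

uid0_not_root        # toor
interactive_accounts # root, student, toor with home dir and shell
accounts_per_shell   # 3 /usr/sbin/nologin, 2 /bin/bash, ...
```

The regular-expression test on $NF is deliberately narrow (/bin/sh and /bin/bash); extend it with the shells listed in /etc/shells on the system you are examining.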

checksums

Generate the MD5 checksum of a file:

md5sum /etc/passwd

Generate the SHA-1 checksum of a file. The following three commands are equivalent:

sha1sum /etc/passwd
shasum /etc/passwd
shasum -a1 /etc/passwd

Generate the SHA-256 checksum of a file:

shasum -a256 /etc/passwd

Generate the SHA-512 checksum of a file:

shasum -a512 /etc/passwd
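
A checksum is only useful when it is compared against a known-good value. The following added example (not part of the original cheat sheet) records a SHA-256 digest and later verifies the file against it with "sha256sum -c", whose exit status is what scripts should test. It uses coreutils sha256sum rather than the Perl shasum shown above; "shasum -a 256 -c" behaves the same way. The temporary file and its contents are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: record a SHA-256 checksum and later verify the file against it.
# sha256sum -c does the comparison and sets its exit status accordingly.

# Print just the hex digest of a file (sha256sum prints "<digest>  <name>").
digest_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 if the file matches the expected digest, 1 otherwise.
# The two-space separator is the format sha256sum -c expects; --status suppresses output.
verify_sha256() {
    file=$1
    expected=$2
    printf '%s  %s\n' "$expected" "$file" | sha256sum -c --status
}

# Demonstration on a constructed file: take a baseline, then tamper with one byte.
demo_tamper_detection() {
    tmp=$(mktemp)
    printf 'DOS mode\n' > "$tmp"
    known_good=$(digest_of "$tmp")
    verify_sha256 "$tmp" "$known_good" && echo "baseline: OK"
    printf 'x' >> "$tmp"                     # simulate modification
    if verify_sha256 "$tmp" "$known_good"; then
        echo "tampered file: NOT detected"; rm -f "$tmp"; return 1
    fi
    echo "tampered file: checksum mismatch detected"
    rm -f "$tmp"
}

demo_tamper_detection
```

Store the known-good digests somewhere the system being checked cannot overwrite (read-only media, a separate host); a digest file sitting next to the files it describes is trivially updated by whoever modified them.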

cut

Cut the 2nd field from a file, using the space as a delimiter:

cat /var/log/dpkg.log | cut -d' ' -f2

Cut the 2nd and 3rd field from a file, use the comma as a delimiter:

cat /labs/honeytokens/pilots.csv | cut -d, -f2-3

Cut beginning at the 6th field, to end of line, using the space as a delimiter:

cat /var/log/auth.log | cut -d' ' -f6-

Cut the 6th field, using the double-quote (") as a delimiter, and escaping it to treat it as a literal character:

cat /labs/bc/access.log | cut -d\" -f6

Cut beginning at the 11th character, to end of line:

ifconfig | cut -c11-

file

Determine the type of each file in /usr/local/bin from its magic bytes (not its name or extension):

file /usr/local/bin/*

grep

Search for lines containing the string "bash", case sensitive:

grep bash /etc/passwd

Search for lines containing the string "bash", case insensitive:

grep -i bash /etc/passwd

Search for lines that do not contain the string "bash", case insensitive:

grep -vi bash /etc/passwd

Search for lines containing the string "root", case sensitive, and also print the 5 lines after each match (-A5):

grep -A5 root /etc/passwd

head

Print the first 10 lines of a file:

head -n 10 /etc/passwd

ngrep

Search the packet payloads in /pcaps/blackhole.pcap (-I reads from a pcap file) for the string "This program cannot be run in DOS mode", with -q suppressing ngrep's per-packet "#" noise:

ngrep -qI /pcaps/blackhole.pcap "This program cannot be run in DOS mode"

sed

grep for lines containing "Mozilla", then change "Mozilla" to "MosaicKilla":

grep Mozilla /labs/bc/access.log | sed "s/Mozilla/MosaicKilla/g"

grep for lines containing "Mozilla", then delete all characters up to and including "Mozilla" (note that ^.* is greedy: if "Mozilla" appears more than once on a line, everything up to the last occurrence is removed):

grep Mozilla /labs/bc/access.log | sed "s/^.*Mozilla//g"

grep for lines containing "Mozilla", then delete all characters that precede "Mozilla" (same greedy caveat as above; "Mozilla" is re-inserted as the replacement):

grep Mozilla /labs/bc/access.log | sed "s/^.*Mozilla/Mozilla/g"

sort

The following examples run strings on a file, search for user-agent (ignoring case), and use various sort options.

Simple alphabetic sort (may include duplicates):

strings /pcaps/fraudpack.pcap | grep -i user-agent | sort

Sort and unique lines. The following two commands are equivalent:

strings /pcaps/fraudpack.pcap | grep -i user-agent | sort -u
strings /pcaps/fraudpack.pcap | grep -i user-agent | sort | uniq

Get a numeric count of each unique entry:

strings /pcaps/fraudpack.pcap | grep -i user-agent | sort | uniq -c

Get a numeric count of each unique entry, perform a numeric sort of that count:

strings /pcaps/fraudpack.pcap | grep -i user-agent | sort | uniq -c | sort -n

Sort and unique lines, print the length of each unique line followed by the line itself, perform a reverse numeric sort of that count:

strings /pcaps/fraudpack.pcap | grep -i user-agent | sort -u | awk '{print length, $0}' | sort -rn

Sort on the second comma-separated field:

cat /bonus/alexa/top-1m.csv | sort -t, -k2
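
The same sort | uniq -c | sort -n pipeline is the standard first pass over web server logs: the rarest user-agents are where scanners, old tooling and malware check-ins tend to sit. The following is an added example (not part of the original cheat sheet) that runs that pipeline over constructed combined-format log lines, pulling the user-agent out as the 6th double-quote delimited field, as in the cut example earlier on this page. The SAMPLE_LOG lines and their addresses are made up for the example; pipe in a real access.log to use it.

```sh
#!/bin/sh
# Added example: user-agent frequency analysis with sort | uniq -c | sort -n.
# SAMPLE_LOG is constructed combined-log-format data (private/documentation addresses).
SAMPLE_LOG='10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
10.0.0.6 - - [10/Oct/2023:13:55:40 +0000] "GET /about.html HTTP/1.1" 200 1020 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
192.0.2.77 - - [10/Oct/2023:13:57:12 +0000] "POST /upload.php HTTP/1.1" 200 88 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.9 - - [10/Oct/2023:13:58:03 +0000] "GET /cgi-bin/test HTTP/1.0" 404 210 "-" "python-requests/2.31.0"'

# The user-agent is the 6th double-quote delimited field (cf. cut -d\" -f6 above).
user_agents() {
    printf '%s\n' "$SAMPLE_LOG" | awk -F'"' '{ print $6 }'
}

# Count of each distinct user-agent, rarest first, normalised to "count<TAB>user-agent".
# LC_ALL=C keeps the sort order deterministic regardless of the user's locale.
ua_counts() {
    user_agents | LC_ALL=C sort | uniq -c | LC_ALL=C sort -n \
        | awk '{ c = $1; sub(/^ *[0-9]+ /, ""); print c "\t" $0 }'
}

# User-agents seen fewer than N times: the long tail where tooling and old clients hide.
rare_uas() {
    ua_counts | awk -F'\t' -v max="$1" '$1 < max'
}

# Longest distinct user-agent string: the page's "print length, $0 | sort -rn" trick.
longest_ua() {
    ua_counts | cut -f2- | awk '{ print length, $0 }' | LC_ALL=C sort -rn \
        | head -n 1 | cut -d' ' -f2-
}

ua_counts      # 1 MSIE 6.0, 1 python-requests, 3 Firefox
rare_uas 2     # the two single-hit user-agents
longest_ua     # the Firefox string
```

On a busy server the interesting list is usually "rare_uas 5" or so, read together with the source address and request path of each hit rather than in isolation.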

tshark

Read /pcaps/zeus-gameover-loader.pcap (-r) and apply the display filter http.request.method (-Y), which shows only HTTP requests:

tshark -r /pcaps/zeus-gameover-loader.pcap -Y "http.request.method"

List TCP conversations sorted by bytes transferred (-q suppresses per-packet output, -n disables name resolution):

tshark -n -r /pcaps/virut-worm.pcap -q -z conv,tcp

xxd

xxd creates a hexdump, or converts a hexdump back into binary. A lot of malware hex-encodes web traffic or malicious payloads (such as DOS/PE executables) in order to avoid signature matching. Useful hex patterns to look for are 4d5a (the magic bytes for a DOS executable, "MZ"; 4d5a90 is the common form since the next byte is usually 0x90), and "DOS mode" (444f53206d6f6465, see commands below).

xxd cannot natively handle percent-encoded hex, such as "%63%67%69%2D%62%69%6E", but can if the percent signs are removed (see below).

Convert the string "DOS mode" to hex, grouped in sets of 4 hex characters (default):

echo -n "DOS mode" | xxd

Convert the string "DOS mode" to hex, ungrouped:

echo -n "DOS mode" | xxd -g0

Convert the hex string "444f53206d6f6465" to binary:

echo 444f53206d6f6465 | xxd -r -p

Use sed to remove the percent signs from the percent-encoded hex string "%63%67%69%2D%62%69%6E", then translate to binary:

echo "%63%67%69%2D%62%69%6E" | sed "s/%//g" | xxd -r -p
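
Putting the xxd commands above together: the following added example (not part of the original cheat sheet) decodes a percent-encoded string, hex-dumps arbitrary bytes, and checks whether a decoded payload starts with the 4d5a ("MZ") magic described above. It uses xxd where available and falls back to od and printf (both POSIX) where it is not; the percent-encoded inputs are constructed for the example, and like the page's sed trick it assumes every byte is percent-encoded.

```sh
#!/bin/sh
# Added example: percent-encoded hex -> bytes -> hexdump, plus the MZ-header check.
# Uses xxd when present; falls back to od/printf (POSIX) otherwise.

# Hex digits on stdin (either case, no separators) -> raw bytes on stdout.
hex_to_bin() {
    if command -v xxd >/dev/null 2>&1; then
        xxd -r -p
        return
    fi
    h=$(tr -d ' \n')
    while [ -n "$h" ]; do
        pair=${h%"${h#??}"}                       # first two hex digits
        printf "\\$(printf '%03o' $((0x$pair)))"  # emit the byte as an octal escape
        h=${h#??}
    done
}

# Raw bytes on stdin -> one continuous lowercase hex string (same as xxd -p | tr -d '\n').
bin_to_hex() {
    if command -v xxd >/dev/null 2>&1; then
        xxd -p | tr -d '\n'
    else
        od -An -v -tx1 | tr -d ' \n'
    fi
}

# Decode a fully percent-encoded string such as "%63%67%69%2D%62%69%6E". As on the page,
# every byte must be encoded; mixed literal/encoded input needs a real URL decoder.
percent_decode() {
    printf '%s' "$1" | sed 's/%//g' | hex_to_bin
}

# Does the decoded payload start with the DOS/PE magic 4d5a ("MZ")?
# The comparison is done on the hex form so NUL bytes never land in a shell variable.
is_mz_payload() {
    [ "$(percent_decode "$1" | bin_to_hex | cut -c1-4)" = "4d5a" ]
}

percent_decode '%63%67%69%2D%62%69%6E'; echo     # cgi-bin
printf 'DOS mode' | bin_to_hex; echo              # 444f53206d6f6465
if is_mz_payload '%4D%5A%90%00%03%00'; then echo "MZ header found"; fi
```

A payload that decodes to an MZ header is worth carving out and running through "file" and the checksum commands above; the hex view is also the place to spot a second layer of encoding (base64 or XOR) that xxd alone will not unwrap.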
